OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Special Report

Fiscal Year 2006
Federal Information Security
Management Act Report

Status of EPA's Computer Security Program

Report No. 2006-S-00008

September 25, 2006

Report Contributors:  Rudolph M. Brevard
                      Neven Morcos
                      William Coker
                      Warren Brooks
                      Sabrena Stewart

                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                                   WASHINGTON, D.C. 20460

                                                              OFFICE OF
                                                          INSPECTOR GENERAL

                                      September 25, 2006

MEMORANDUM

SUBJECT:            Fiscal Year 2006 Federal Information Security
                    Management Act Report

TO:                 Stephen L. Johnson
                    Administrator

Attached is the Office of Inspector General's (OIG's) Fiscal Year 2006 Federal Information
Security Management Act Report, as prescribed by the Office of Management and Budget
(OMB). This report includes the results of our annual security review and highlights the efforts
to secure and protect the Agency's information assets.

Although the Agency has made substantial progress to improve its security program, the OIG
identified weaknesses in the Agency's incident reporting practices. These weaknesses contribute
to (1) the incident reporting program not being fully implemented and (2) all security incidents
not being reported. As a result, the OIG answered "NO" to question 7a in the OMB reporting
template. Also included is Appendix A, which synopsizes the results of our significant Fiscal
Year 2006 information security audits.

In accordance with OMB reporting instructions, I am forwarding this report to you for
submission, along with the Agency's required information, to the Director, Office of
Management and Budget.

                                                Sincerely,

                                                Bill A. Roderick
                                                Acting Inspector General

Attachment

cc:   Assistant Administrator for Environmental Information and Chief Information Officer
      Director, Office of Technology Operations and Planning
      Senior Agency Information Security Officer

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.

Environmental Protection Agency

Question 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including
information systems used or operated by an agency or by a contractor of an agency or other
organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not
categorized) and by bureau, identify the number of systems reviewed in this evaluation for each
classification below (a., b., and c.).

     To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
     1) Continue to use NIST Special Publication 800-26, or,
     2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

     Agencies are responsible for ensuring the security of information systems used by a contractor
     of their agency or other organization on behalf of their agency; therefore, self reporting by
     contractors does not meet the requirements of law. Self reporting by another Federal agency,
     for example, a Federal service provider, may be sufficient. Agencies and service providers
     have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance in FY 06 by risk impact level and
bureau, in the format provided below. From the representative subset of systems evaluated,
identify the number of systems which have completed the following: have a current certification
and accreditation, a contingency plan tested within the past year, and security controls tested
within the past year.

Column key for the table below:

     AgTot / AgRev   Question 1a. FY 06 Agency systems: total number / number reviewed
     CoTot / CoRev   Question 1b. FY 06 Contractor systems: total number / number reviewed
     AlTot / AlRev   Question 1c. FY 06 total number of systems: total number / number reviewed
     C&A# / C&A%     Question 2a. Number of systems certified and accredited / percent of total
     SC# / SC%       Question 2b. Number of systems for which security controls have been tested
                     and evaluated in the last year / percent of total
     CP# / CP%       Question 2c. Number of systems for which contingency plans have been tested
                     in accordance with policy and guidance / percent of total

Bureau Name
    FIPS 199 Risk      AgTot AgRev CoTot CoRev AlTot AlRev  C&A#   C&A%   SC#    SC%   CP#    CP%
    Impact Level

Office of Administrator
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%
    Low                    1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              3     0     0     0     3     0     0   0.0%     0   0.0%     0   0.0%

Office of Air and Radiation
    High                   1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Moderate              12     0     0     0    12     0     0   0.0%     0   0.0%     0   0.0%
    Low                    6     0     2     0     8     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total             19     0     2     0    21     0     0   0.0%     0   0.0%     0   0.0%

Office of Administration and Resource Management
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate              10     0     2     0    12     0     0   0.0%     0   0.0%     0   0.0%
    Low                    1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total             11     0     2     0    13     0     0   0.0%     0   0.0%     0   0.0%

Office of Chief Financial Officer
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate              16     2     0     0    16     2     2 100.0%     2 100.0%     2 100.0%
    Low                    2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total             18     2     0     0    18     2     2 100.0%     2 100.0%     2 100.0%

Office of Enforcement and Compliance Assurance
    High                   1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               8     0     0     0     8     0     0   0.0%     0   0.0%     0   0.0%
    Low                    2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total             11     0     0     0    11     0     0   0.0%     0   0.0%     0   0.0%

Office of Environmental Information
    High                   1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Moderate              17     0     5     0    22     0     0   0.0%     0   0.0%     0   0.0%
    Low                   15     1     3     0    18     1     1 100.0%     1 100.0%     1 100.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total             33     1     8     0    41     1     1 100.0%     1 100.0%     1 100.0%

Office of General Counsel
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Office of International Activities
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Office of the Inspector General
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               5     0     0     0     5     0     0   0.0%     0   0.0%     0   0.0%
    Low                    3     0     0     0     3     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              8     0     0     0     8     0     0   0.0%     0   0.0%     0   0.0%

Office of Prevention, Pesticides and Toxic Substances
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               7     0     0     0     7     0     0   0.0%     0   0.0%     0   0.0%
    Low                    1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              8     0     0     0     8     0     0   0.0%     0   0.0%     0   0.0%

Office of Research and Development
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               8     0     0     0     8     0     0   0.0%     0   0.0%     0   0.0%
    Low                    6     0     0     0     6     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total             14     0     0     0    14     0     0   0.0%     0   0.0%     0   0.0%

Office of Solid Waste and Emergency Response
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               5     0     1     0     6     0     0   0.0%     0   0.0%     0   0.0%
    Low                    4     0     2     1     6     1     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              9     0     3     1    12     1     0   0.0%     0   0.0%     0   0.0%

Office of Water
    High                   1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               8     0     1     1     9     1     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     1     1     1     1     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              9     0     2     2    11     2     0   0.0%     0   0.0%     0   0.0%

Region 1
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Region 2
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%

Region 3
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Region 4
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Region 5
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%
    Low                    1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              3     0     0     0     3     0     0   0.0%     0   0.0%     0   0.0%

Region 6
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Region 7
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

Region 8
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Low                    1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              2     0     0     0     2     0     0   0.0%     0   0.0%     0   0.0%

Region 9
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               1     0     1     1     2     1     0   0.0%     0   0.0%     0   0.0%
    Low                    0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     1     1     2     1     0   0.0%     0   0.0%     0   0.0%

Region 10
    High                   0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Moderate               0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Low                    1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%
    Not Categorized        0     0     0     0     0     0     0   0.0%     0   0.0%     0   0.0%
    Sub-total              1     0     0     0     1     0     0   0.0%     0   0.0%     0   0.0%

All Bureaus
    Sub-total            159     3    18     4   177     7     3  42.9%     3  42.9%     3  42.9%

Agency Totals
    High                   4     0     0     0     4     0     0   0.0%     0   0.0%     0   0.0%
    Moderate             111     2    10     2   121     4     2  66.7%     2  66.7%     2  66.7%
    Low                   44     1     8     2    52     3     1  33.3%     1  33.3%     1  33.3%
    Not Categorized
                 0                  0               0                0                 0                0                0              0.0%                 0               0.0%                  0                  0.0%\n                                                                        Total                                       159                  3             18                 4              177                 7                3             42.9%                 3             42.9%                   3                  42.9%\n\n\n\nComments: The Office of Inspector General (OIG) and the Agency agree on the number of EPA systems. The Agency is reporting 173 FISMA reportable systems and the OIG is reporting 177. The OIG identified four contractor systems that were not included in the Agency\xe2\x80\x99s inventory. Subsequent to the finding, the Agency\nincluded the four systems in its system inventory and categorized the sensitivity of the data in these systems. The Agency did not include the four systems in its final FISMA reporting numbers because the systems are currently being evaluated.\n\n\n\n\n                                                                                                                                                              3\n\n\x0c                                                                                                                                                               Question 3\n\n\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n\n\n\n                                                                          The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf\n                                                                          of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security 
policy, and agency policy. Self-reporting of NIST Special\n                                                                          Publication 800-26 requirements by a contractor or other organization is not sufficient, however, self-reporting by another Federal agency may be sufficient.\n\n                                                                          Response Categories:\n                                   3.a.                                         Rarely, for example, approximately 0-50% of the time                                                                                                       - Almost Always, for example, approximately 96-100% of the time\n                                                                                Sometimes, for example, approximately 51-70% of the time\n                                                                          -     Frequently, for example, approximately 71-80% of the time\n                                                                          -     Mostly, for example, approximately 81-95% of the time\n                                                                          -     Almost Always, for example, approximately 96-100% of the time\n                                                                          -\n                                                                          -\n\n\n\n\n                                                                          The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such\n                                                                          agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the\n                                                                          control of the agency.\n\n                                
                                          Response Categories:\n                                   3.b.                                         Approximately 0-50% complete                                                                                                                                      Approximately 96-100% complete\n                                                                                Approximately 51-70% complete\n                                                                          -     Approximately 71-80% complete                                                                                                                              -\n                                                                          -     Approximately 81-95% complete\n                                                                          -     Approximately 96-100% complete\n                                                                          -\n                                                                          -\n\n\n\n\n                                   3.c.                                   The OIG generally agrees with the CIO on the number of agency owned systems.                                                                                                                                 Yes\n\n\n\n\n                                                                          The OIG generally agrees with the CIO on the number of information systems\n                                   3.d.                                   used or operated by a contractor of the agency or other organization on behalf of   the agency.                                                                                                              Yes\n\n\n\n\n                                   3.e.                                   The agency inventory is maintained and updated at least annually.                                                       
                                                                                     Yes\n\n\n\n\n                                   3.f.                                   The agency has completed system e-authentication risk assessments.                                                                                                                                           Yes\n\n\n\n\nComment: 3.a. Based on OIG work done to supplement FY 2006 FISMA, we found that the Agency needs to improve process for identifying and monitoring contractor systems.\n:\n\n\n\n\n                                                                                                                                                                    4\n\x0c                                                                                                                                                                 Question 4\n\n\n\n\nThrough this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the\ndrop down menu. 
If appropriate or necessary, include comments in the area provided below.\n\nFor items 4a.-4.f, the response categories are as follows:\n\n        Rarely, for example, approximately 0-50% of the time\n        Sometimes, for example, approximately 51-70% of the time\n-       Frequently, for example, approximately 71-80% of the time\n-       Mostly, for example, approximately 81-95% of the time\n-       Almost Always, for example, approximately 96-100% of the time\n-\n-\n\n\n\n\n                                                                         The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency\n                                    4.a.                                                                                                                                                                                        - Almost Always, for example, approximately 96-100% of the time\n                                                                         or by a contractor of the agency or other organization on behalf of the agency.\n\n\n\n\n                                                                         When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for\n                                    4.b.\n                                                                         their system(s).                                                                                                                                          - Almost Always, for example, approximately 96-100% of the time\n\n\n\n\n                                    4.c.                                 Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.                        
- Almost Always, for example, approximately 96-100% of the time\n\n\n\n\n                                    4.d.                                 CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.                                                             - Almost Always, for example, approximately 96-100% of the time\n\n\n\n                                    4.e.                                 OIG findings are incorporated into the POA&M process.                                                                                                     - Almost Always, for example, approximately 96-100% of the time\n\n\n\n                                                                         POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive\n                                    4.f.\n                                                                         appropriate resources                                                                                                                                    - Almost Always, for example, approximately 96-100% of the time\n\n\n\nComment: 4.e.\n\n\n\n\n                                                                                                                                                                      5\n\x0c                                                                                                                                                                      Question 5\n\n\n\n\nOIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency\xe2\x80\x99s certification and accreditation process, including adherence to existing policy, guidance, and standards. 
Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security\nCertification and Accreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for certification and accreditation work initiated after May, 2004. This includes use of the FIPS 199 (February, 2004), \xe2\x80\x9cStandards for Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d to determine an impact level, as well as associated\nNIST documents used as guidance for completing risk assessments and security plans .\n\n\n\n\n                                                                            Assess the overall quality of the Department's certification and accreditation process.\n\n                                                                            Response Categories:\n                                                                                  Excellent\n                                                                                  Good                                                                                                                                                      - Satisfactory\n                                                                            -     Satisfactory\n                                                                            -     Poor\n                                                                            -     Failing\n                                                                            -\n                                                                            -\n\n\n\nComments: EPA has sufficiently published C&A policies. However, we found the Agency's overall processes for implementing C&A policies and procedures need improvement. 
Proior audit work identified major applications without up-to-date authorizations to operate, risk assessments, and other key security documents.\n\n\n\n\n                                                                                                                                                                          6\n\x0c                                                                             Section C: Inspector General. Question 6, 7, 8, and 9.\n\n                                                                                       Environmental Protection Agency\n\n\n                                                                                                  Question 6\n\n            Is there an agency wide security configuration policy?\n    6.a.                                                                                                                                                               Yes\n            Yes or No.\n\n            Comments:\n\n\n\n            Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency\n   6.b.\n            systems run the software. 
In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.\n\n\n\n\n                                                                                                                                 Approximate the extent of implementation of the security configuration policy\n                                                                                                                                 on the systems running the software.\n\n                                                                                                                                 Response choices include:\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the\n\n                                                                                                                                 -systems running\n                                                                                                                                    Sometimes,    this\n                                                                                                                                               or on   software\n                                                                                                                                                     approximately 51-70% of\n\n                                                                                                                                 -the systems running\n                                                                                                                                    Frequently,        this software 71-80% of\n                                                                                                                                                or on approximately\n                          
                                  Addressed in agencywide\nProduct                                                             policy?                  Do any agency systems run this      -the systems\n                                                                                                                                    Mostly,    running\n                                                                                                                                            or on      this software\n                                                                                                                                                  approximately  81-95% of the\n                                                                                                       software?\n                                                                                                                                 systems\n                                                                                                                                 - Almostrunning\n                                                                                                                                          Always,this software\n                                                                                                                                                  or on approximately 96-100% of the systems running this\n                                                                     Yes, No,                                                    software\n                                                                      or N/A.                              
Yes or No.\n\n           Windows XP Professional\n                                                                       Yes                                    Yes\n           Windows NT\n                                                                       Yes                                    Yes\n           Windows 2000 Professional\n                                                                       Yes                                    Yes\n           Windows 2000 Server\n                                                                       Yes                                    Yes\n           Windows 2003 Server\n                                                                       Yes                                    Yes\n           Solaris\n                                                                       Yes                                    Yes\n\n           HP-UX\n                                                                       N/A                                    No\n\n           Linux\n                                                                       Yes                                    Yes\n\n           Cisco Router IOS                                            Yes                                    Yes\n\n           Oracle\n                                                                       Yes                                    Yes\n\n           Other. Specify:\nComments: We did not conduct audit work to determine the extent of the Agency's implementation of the above operating systems. The OIG has programmed an operating system review in\nits FY07 audit plan.\n\n\n                                                                                                       7\n\x0c                                                                                                 Question 7\n\n\nIndicate whether or not the following policies and procedures are in place at your agency. 
If appropriate or necessary, include comments in the area provided below.\n\n\n             The agency follows documented policies and procedures for identifying and reporting incidents internally.\n    7.a.                                                                                                                                                                 No\n             Yes or No.\n\n             The agency follows documented policies and procedures for external reporting to law enforcement\n    7.b.     authorities.                                                                                                                                               Yes\n             Yes or No.\n             The agency follows defined procedures for reporting to the United States Computer Emergency Readiness\n    7.c.     Team (US-CERT). http://www.us-cert.gov                                                                                                                     Yes\n             Yes or No.\nComments: EPA has established Agency-wide policies and procedures for reporting security incidents. However, we found in supplementing our FY 2006 FISMA audit that EPA needs to\ntake further steps to (1) implement its incident handling program to ensure all violations are consistently reported; (2) develop and train personnel on local incident reporting procedures; (3)\nimplement its centralized virus/spyware/malware reporting system, and (4) make security trend information available. 
We plan to issue a separate report on EPA's incident reporting practices\nin November 2006.\n\n                                                                                                 Question 8\n\n             Has the agency ensured security training and awareness of all employees, including contractors and those\n             employees with significant IT security responsibilities?\n\n             Response Choices include:\n             - Rarely, or, approximately 0-50% of employees have sufficient training\n     8        - Sometimes, or approximately 51-70% of employees have sufficient training                                          - Almost Always, or approximately 96-100% of employees have sufficient training\n              - Frequently, or approximately 71-80% of employees have sufficient training\n              - Mostly, or approximately 81-95% of employees have sufficient training\n              - Almost Always, or approximately 96-100% of employees have sufficient training\n\n\n\n\n                                                                                                 Question 9\n\n\n\n             Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training,\n     9       ethics training, or any other agency wide training?                                                                                                        Yes\n             Yes or No.\n\nComments:\n\n\n\n\n                                                                                                       8\n\x0c                                                                                      Appendix A\n\n                 Summary of Significant Fiscal 2006 \n\n                     Security Control Audits \n\n\nDuring Fiscal Year 2006, EPA\xe2\x80\x99s Office of Inspector General (OIG) initiated numerous audits of\nEPA\xe2\x80\x99s information technology security program and information systems. 
The following\nsummary synopsizes key objectives and findings. Copies of all final reports are located on the\nOIG\xe2\x80\x99s Internet site at http://www.epa.gov/oig/publications.htm.\n\n1. EPA Could Improve Its Information Security by Strengthening Verification and\nValidation Processes, Report No. 2006-P-00002, October 17, 2005\n\nWe found that program offices had not effectively implemented processes to comply with\nFederal and EPA requirements related to information security. We found major applications\nwithout (1) adequate certification and accreditation, (2) contingency plans or testing of the plans,\nand (3) a process to monitor for known security vulnerabilities. As such, all security control\ndeficiencies are not reported in EPA\xe2\x80\x99s Plans of Action and Milestones system. EPA could have\ndiscovered these security deficiencies had it implemented processes to verify and validate\noffices\xe2\x80\x99 compliance with established Federal and Agency requirements. Therefore, the Chief\nInformation Officer is not receiving timely and accurate information with which to plan,\nimplement, evaluate, and report EPA\xe2\x80\x99s information technology security status and security\nremediation activities to the Office of Management and Budget.\n\n2. EPA Could Improve Physical Access and Service Continuity/Contingency\nControls for Financial and Mixed-Financial Systems Located at its Research\nTriangle Park Campus, Report No. 2006-P-00005, December 14, 2005 W\n\nThe OIG contracted with KPMG, LLP, to audit physical access controls and service\ncontinuity/contingency planning controls for select financial and mixed-financial systems\nhosted at EPA\xe2\x80\x99s Research Triangle Park campus. 
KPMG found that controls needed to be\nimproved in areas such as visitor access to facilities, use of contractor access badges, and\ngeneral physical access to the National Computer Center, computer rooms outside the Center,\nand media storage rooms.\n\nControls also needed improvement in areas such as completing a business impact analysis,\napplication contingency plans, authorizing to move backup data between key facilities, and\nenvironmental controls. In many cases, EPA has in place compensating controls that help reduce\nthe risk of the above issues. However, KPMG believes that controls can be improved to further\nreduce the risks.\n\n\n\n\n                                               9\n\n\x0c3. \tInformation Security Series: Security Practices\n\nWe evaluated the information security practices of five Agency program offices. For each\nselected application, we evaluated the following security controls: certification and accreditation\npractices, application contingency plans, and processes used to test and evaluate security\ncontrols. Although the EPA offices complied with many of the reviewed security requirements,\nthey needed to improve information security practices to ensure that (1) key security documents\nare kept current whenever the system undergoes a major modification or significant change in\nprocessing and (2) risk assessments and contingency plans are developed and tested in a timely\nmanner. EPA offices could improve processes to ensure production servers are actively\nmonitored for known security vulnerabilities.\n\nWe issued the following five reports under this series:\n\n   \xc2\xbe\t Integrated Contract Management System, Report No. 2006-P-00010, January \n\n      31, 2006 \n\n   \xc2\xbe Comprehensive Environmental Response, Compensation, and Liability \n\n      Information System, Report No. 2006-P-00019, March 28, 2006 \n\n   \xc2\xbe Integrated Compliance Information System, Report No. 
2006-P-00020, March \n\n      29, 2006 \n\n   \xc2\xbe Safe Drinking Water Information System, Report No. 2006-P-00021, March 30, \n\n      2006 \n\n   \xc2\xbe Clean Air Markets Division Business System, Report No. 2006-P-00024, May 4, \n\n      2006 \n\n\n4. Controls over Mainframe System Software\n\nThe overall objective was to determine the effectiveness of information system controls over the\nconfiguration of, access to, and modification of mainframe system software (including all\noperating systems, utilities, and security software) residing at the EPA\xe2\x80\x99s National Computer\nCenter. We plan to issue the final report in October 2006.\n\n5. Management Controls over Contractor-owned Systems that Contain EPA Data\nand Incident Reporting\n\nWe sought to determine whether EPA defined security requirements for contractor owned\nsystems that collect information on EPA\xe2\x80\x99s behalf. We also sought to determine whether EPA\noffices identified and reported all security incidents to EPA\xe2\x80\x99s Computer Security Incident\nResponse Capability, which is EPA\xe2\x80\x99s computer security incident reporting process. We plan to\nissue the final report in November 2006.\n\n\n\n\n                                              10 \n\n\x0c                                                                                Appendix B\n\n                                    Distribution\nOffice of the Administrator\nActing Assistant Administrator for Environmental Information and Chief Information Officer\nAgency Followup Official\nAgency Followup Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nActing Inspector General\n\n\n\n\n                                           11 \n\n\x0c"